Abstract. In this paper, we consider the hidden subgroup problem (HSP) over the class of
semi-direct product groups $\mathbb{Z}_{p^r} \rtimes \mathbb{Z}_q$, for $p$ and $q$ prime. We first present a classification of these
groups in five classes. Then, we describe a polynomial-time quantum algorithm solving the HSP
over all the groups of one of these classes: the groups of the form $\mathbb{Z}_{p^r} \rtimes \mathbb{Z}_p$, where $p$ is an odd
prime. Our algorithm works even in the most general case where the group is presented as a
black-box group with not necessarily unique encoding. Finally, we extend this result and present
an efficient algorithm solving the HSP over the groups $\mathbb{Z}_{p^r}^m \rtimes \mathbb{Z}_p$.



1 Introduction and Main Results 

Almost all the quantum algorithms discovered so far that realize an exponential speed-up with respect 
to the best known classical algorithms can be seen as instances of the Hidden Subgroup Problem (HSP), a 
problem that asks to find a subgroup H hidden inside a group G. In particular the integer factoring problem 
and the discrete logarithm problem, for which Shor has presented polynomial-time quantum algorithms [25],
and the periodicity finding problem, for which Simon has shown an efficient quantum algorithm [26], are
instances of the special case of the HSP where the group G is Abelian. More generally, a polynomial-time
quantum algorithm solving the HSP over any Abelian group G is known [14], using as its main tool the
Fourier transform over Abelian groups. However, no solution is known for the general case of G non-Abelian.
The case of non-Abelian groups is indeed of paramount importance because a polynomial-time solution for
the HSP when G is the symmetric group (the group of all the permutations over a given set) would give 
an efficient quantum algorithm solving the graph isomorphism problem, a well known problem for which no 
polynomial-time classical algorithm is known. However, the symmetric HSP seems difficult, even for quantum 
computers, as shown by several negative results [HI [TUl dSl [T71 [TT]. Another fundamental instance of the
non-Abelian HSP is the case where G is the dihedral group. Regev [22] has shown that an efficient algorithm
solving the HSP over the dihedral group by the coset sampling technique would enable a quantum computer 
to find, in polynomial time, the shortest vector in a lattice, at least for a class of lattices for which no efficient 
classical algorithm is known. Besides the theoretical importance such a quantum algorithm may have, this 
algorithm would also give strong indications that recent cryptosystems proposed by Ajtai and Dwork [T] and 
Regev [53] , which are among the best candidates to replace RSA-like cryptosystems and assume the hardness 
of computational problems in lattices, are not secure against adversaries using quantum computers. That 
is why an important part of the research on the HSP focused on the case where G is the dihedral group. 
Notice that although no polynomial-time quantum algorithm is known solving this case, a quantum algorithm 
running in sub-exponential time has been discovered by Kuperberg [15], and then improved by Regev [24].

The dihedral group can actually be defined as the semi-direct product $D_n = \mathbb{Z}_n \rtimes \mathbb{Z}_2$. Ettinger and
Høyer [8] showed that considering the group $D_n$ as the Abelian group $\mathbb{Z}_n \times \mathbb{Z}_2$, and applying the Abelian
Fourier transform over it is sufficient to obtain relevant information about the hidden subgroup. However,
the post-processing proposed in [5] requires exponential time to extract a set of generators of this subgroup
from this information and thus the global algorithm is not efficient. If, for other values of $n$ and $q$, the group
$\mathbb{Z}_n \rtimes \mathbb{Z}_q$ is sufficiently Abelian, this method or other methods that failed to solve completely the dihedral case
may work, and this is one of the motivations for considering this class of semi-direct product groups. Indeed,
Moore, Rockmore, Russell and Schulman [16] proposed a polynomial-time quantum algorithm based on the
non-Abelian Fourier sampling method solving the HSP over the $q$-hedral groups $\mathbb{Z}_p \rtimes \mathbb{Z}_q$ where $p$ and $q$ are
two primes such that $q$ divides $p - 1$ and $p/q = \mathrm{poly}(\log p)$.

Other quantum algorithms are known solving the HSP over some classes of semi-direct product groups 
that are not semi-direct product of cyclic groups. Using the Fourier transform over Z^^. x Z2, Friedl, Ivanyos, 
Magniez, Santha and Sen [S] solved in polynomial time the HSP over the groups Z^j. x Z2 when p^ is a fixed 
prime power. Radhakrishnan, Rötteler and Sen [21] have shown that it is possible to solve in polynomial time,
information-theoretically, the HSP over the Heisenberg groups $\mathbb{Z}_p^2 \rtimes \mathbb{Z}_p$. Another class of semi-direct product
groups for which efficient quantum algorithms are known corresponds to some wreath product groups [20].

A new promising method has been recently proposed by Bacon, Childs and van Dam [5], leading to efficient 
quantum algorithms solving the HSP over some groups of the form $A \rtimes \mathbb{Z}_p$, where $A$ is an Abelian group.
This method is fundamentally different from previous quantum algorithms for the HSP: it uses entangled 
measurements, corresponding to the so-called pretty good measurement, to identify the hidden subgroup. In 
particular, Bacon, Childs and van Dam's algorithm solves in polynomial time the HSP over the groups of 
the form $\mathbb{Z}_n \rtimes \mathbb{Z}_q$, for any integer $n$ and prime $q$ such that $n/q = \mathrm{poly}(\log n)$, thus improving the result [16].
They also present an efficient quantum algorithm solving the HSP over the groups $\mathbb{Z}_p^r \rtimes \mathbb{Z}_p$, with fixed $r$, improving
the result [21] (and solving completely the problem, not only information-theoretically).

In this paper, we consider the HSP over the class of semi-direct product groups $\mathbb{Z}_{p^r} \rtimes \mathbb{Z}_q$, where $p$ and $q$
are prime. The definition of the semi-direct product depending on the choice of a homomorphism, we first
analyze, in Section 3, the different possibilities for this homomorphism as a function of $p$, $r$ and $q$.

Then, in Section 4, we present a polynomial-time quantum algorithm solving the HSP over the groups of
the form $\mathbb{Z}_{p^r} \rtimes \mathbb{Z}_p$, where $p$ is an odd prime, even when the group is input as a black-box group with not
necessarily unique encoding. Notice that, prior to our work, the only quantum algorithms for the non-Abelian
HSP dealing explicitly with the case of black-box groups were the algorithms developed by Ivanyos, Magniez
and Santha [13]. In particular, for an arbitrary black-box group it seems usually very difficult to use methods
like pretty good measurement or Fourier sampling because the explicit form of the generators is unknown. 

Although not the usual setting in HSP research, studying quantum computation over black-box groups is 
fundamental for the following reasons. First, it may be useful in proving separations, in the oracle model 
(where the oracle is the black box), of classical and quantum computation. Second, one of the most studied
cases in computational group theory is the setting of permutation groups. However, even in this setting, it
can happen that factor groups appearing in the computation cannot be modeled as permutation groups and
can be described only as black-box groups with not necessarily unique encoding. Thus, studying the HSP in 
the black-box context (especially with not necessarily unique encoding) may be very useful in order to design 
quantum algorithms for group computational problems over permutation groups as well. 

In Section 5 we finally consider the class of groups of the form $\mathbb{Z}_{p^r}^m \rtimes \mathbb{Z}_p$. Unfortunately, the algorithm
dealing with the case m = 1 cannot be generalized easily and we need other ideas. We present a quantum 
algorithm solving the HSP in polynomial time over these groups for any m, when the group is input in a 
special form, with more restrictions than in the general definition of black-box groups. 

We mention that Chi, Kim and Lee [7] have recently presented a quantum algorithm, based on our results,
solving efficiently the HSP over a slightly larger class of semi-direct product groups. 

2 Definitions 

2.1 The hidden subgroup problem 

We first recall basic definitions and notations we will use in this paper. For any positive integer $n$, we
denote by $\mathbb{Z}_n$ the additive group of integers modulo $n$ and by $\mathbb{Z}_n^*$ the multiplicative group consisting of the
integers in the set $\{1, \ldots, n-1\}$ that are coprime with $n$. Given elements $g_1, \ldots, g_s$, we denote by $\langle g_1, \ldots, g_s \rangle$
the group generated by the generators $g_1, \ldots, g_s$. Given a group $G$, an element $g \in G$, and a subgroup $H$ we
denote by $gH$ the left coset of $H$, i.e., the set of elements $\{gh \mid h \in H\}$. Now, let us define the notion of an
$H$-periodic function.

Definition 1. Let $G$ be a group, $H$ a subgroup of $G$ and $X$ a finite set. A function $f : G \to X$ is said to be
$H$-periodic if

(i) $f$ has the same value on all the elements of $G$ in the same (left) coset of $H$, and
(ii) $f$ has a different value on each (left) coset of $H$.

We now define the hidden subgroup problem.

Definition 2. The Hidden Subgroup Problem (HSP) is the following problem. Given as inputs 

• a group G given as a set of generators, and 

• a function f given as an oracle, which is H -periodic for an unknown subgroup H of G, 

output a set of generators for H . 

Notice that any group $G$ can be represented by a set of at most $O(\log |G|)$ generators, where $|G|$ is the
number of elements of $G$. We thus say that an algorithm solves the HSP over $G$ in polynomial time if it runs
in time polynomial in $\log |G|$.

2.2 Semi-direct product groups 

We now define the class of semi-direct product groups of cyclic groups. 

Definition 3. For any positive integers $n$ and $q$, and any group homomorphism $\phi$ from the group $\mathbb{Z}_q$ into
the group of automorphisms of $\mathbb{Z}_n$, the semi-direct product group $\mathbb{Z}_n \rtimes_\phi \mathbb{Z}_q$ is the set $\{(a, b) \mid a \in \mathbb{Z}_n, b \in \mathbb{Z}_q\}$
with the group product

$(a_1, b_1)(a_2, b_2) = (a_1 + \phi(b_1)(a_2),\ b_1 + b_2).$

Because $\phi$ has to be a homomorphism and $\phi(a)$ must be an automorphism for every $a \in \mathbb{Z}_q$, $\phi$ is completely
defined by setting $\phi(1)(1)$. The group $\mathbb{Z}_n \rtimes_\phi \mathbb{Z}_q$ is generated by the two elements $x = (1, 0)$ and $y = (0, 1)$.

Using the fact that $\phi(b)(a) = a\,\phi(1)(1)^b$, we obtain the relation

which will be used in almost all the group computations in this paper. 

2.3 Black-box groups 

We will mainly consider the case where the group G is input as a black-box group. A black-box group 
is a representation of a group where elements are represented by strings (of the same length). An oracle 
that performs the group product is available: given two strings representing two elements $a$ and $b$, the oracle
outputs the string representing $a \cdot b$. Moreover, we have another oracle that, given a string representing an
element $a$, computes a string representing the inverse $a^{-1}$. We will in Section 4 consider the most general case
where the elements are not uniquely encoded. In this case an oracle is provided to check whether two strings 
represent the same element. We refer the reader to Babai and Szemeredi [4] for the complete definition of 
black-box groups. 

In the quantum computation setting, the oracles have to be able to deal with quantum superpositions. 
These quantum black-box groups have been studied by Ivanyos, Magniez and Santha [13] and Watrous
[27, 28]. The concept is the same as above but the oracles realizing group operations are quantum. More
precisely, we suppose that two oracles $V_G$ and $V'_G$ are available, such that

$V_G(|g\rangle |h\rangle) = |g\rangle |gh\rangle$

$V'_G(|g\rangle |h\rangle) = |g\rangle |g^{-1}h\rangle$

for any $g$ and $h$ in $G$. In the case of a quantum black-box group with not necessarily unique encoding, we
suppose that the oracle checking whether two strings represent the same element is a quantum oracle too,
although a classical oracle (i.e. an oracle not dealing with quantum superpositions) is actually sufficient for
the algorithms in this paper.

Notice that any efficient black-box algorithm gives rise to an efficient algorithm whenever the oracle
operation can be replaced by efficient procedures. Especially, when a mathematical expression of the generators
input to the algorithm is known, performing group operations can be done directly on the elements in
polynomial time (in $\log |G|$) for almost all natural groups, including permutation groups and matrix groups.
However, we stress that the converse is not generally true: efficient algorithms for a group problem can use
information about the structure of the group that is not available in the black-box context.

It is known that the HSP over an Abelian group input as a (quantum) black-box group with unique
encoding can be solved in polynomial time by a quantum computer [19]. Notice that the same problem is
open when the black-box group does not have unique encoding.

3 A Classification of Semi-direct Product Groups 

3.1 Number of possibilities for $\phi$

For given $n$ and $q$, how many possibilities are there for defining a semi-direct product group $\mathbb{Z}_n \rtimes_\phi \mathbb{Z}_q$?
The condition that $\phi$ should be a homomorphism implies that $\phi(1)(1)^q = 1 \bmod n$. Defining $\phi(1)(1)$ satisfying
this condition is actually necessary and sufficient to define completely $\phi$. Notice that the case $\phi(1)(1) = 1$ is
a trivial possibility that leads to the direct product $\mathbb{Z}_n \times \mathbb{Z}_q$. By considering the usual decomposition

$\mathbb{Z}_n = \mathbb{Z}_{p_1^{r_1}} \times \cdots \times \mathbb{Z}_{p_k^{r_k}}$, (1)

we can determine the number of possibilities for $\mathbb{Z}_n \rtimes_\phi \mathbb{Z}_q$ by determining the number of possible $\phi$ in the
definition of the groups $\mathbb{Z}_{p_i^{r_i}} \rtimes_\phi \mathbb{Z}_q$. Therefore, it is sufficient to study only the case of $n$ being a power of a
prime number. Finding the number of acceptable definitions for $\phi$ thus reduces to finding elements of order
$q$ in $\mathbb{Z}_n^*$ with $n$ a prime power. In this paper, we will consider only the case $q$ prime, which gives a clear
classification into five classes of semi-direct product groups.

Proposition 4. Let $p$ and $q$ be two prime numbers, and $r$ an integer such that $r \ge 1$. The only cases where
there exist non-trivial elements $a$ of order $q$ in $\mathbb{Z}_{p^r}^*$ are the following three cases.

(i) $q \mid p - 1$. There are exactly $q - 1$ distinct possibilities for $a$.

(ii) $r > 1$, $q = p \neq 2$. There are exactly $p - 1$ distinct possibilities: $a = tp^{r-1} + 1$ for $0 < t < p$.

(iii) $r > 1$, $q = p = 2$. If $r > 2$ then there are exactly three distinct possibilities: $2^{r-1} + 1$, $2^{r-1} - 1$ and
$2^r - 1$. If $r = 2$ then there is only one possibility: $a = 3$.

Proof. First, we consider the case $p \neq 2$. Recall that the group $\mathbb{Z}_{p^r}^*$ is a cyclic group. Let $u$ be a primitive
element of $\mathbb{Z}_{p^r}^*$. Then $a$ can be written as $u^k$ for some $k$ less than the order of $u$. Since the order of $u$ is
$p^{r-1}(p - 1)$, $p^{r-1}(p - 1)$ divides $kq$. As $1 \le k < p^{r-1}(p - 1)$ and we assume $q$ is prime, $q$ must be $p$ or any
prime that divides $p - 1$. If $q = p$, $k$ must be of the form $l p^{r-2}(p - 1)$ where $l \in \{1, \ldots, p - 1\}$, so the number
of non-trivial possibilities for $a$ is $p - 1$. In fact, it can be checked that the order of $a = tp^{r-1} + 1$ is $p$, for
every $1 \le t \le p - 1$: these $p - 1$ values of $a$ are thus the exact solutions. Else if $q$ is a prime that divides
$p - 1$, $k$ must be $l p^{r-1}(p - 1)/q$ where $l \in \{1, \ldots, q - 1\}$.

Next, we consider the case $p = 2$. Assume $r > 2$ (the case $r = 2$ is trivial: one unique solution, $a = 3$).
As the order of group $\mathbb{Z}_{2^r}^*$ is $2^{r-1}$, the prime $q$ must be 2. Since $a \in \mathbb{Z}_{2^r}^*$ is odd, we denote $a$ as $2^k l + 1$ for
$k \in \{1, \ldots, r - 1\}$ and odd $l$. From the condition $a^2 = 2^{k+1} l (2^{k-1} l + 1) + 1 = 1 \bmod 2^r$, we get $k = 1$ or
$2^r \mid 2^{k+1}$. We thus obtain three cases: the case $k = 1$ and $l = 2^{r-2} - 1$ (corresponding to $a = 2^{r-1} - 1$), and
the case $k = 1$ and $l = 2^{r-1} - 1$ (corresponding to $a = 2^r - 1$) and the case $k = r - 1$ and $l = 1$ (corresponding
to $a = 2^{r-1} + 1$). □

3.2 Classification of the semi-direct product groups $\mathbb{Z}_{p^r} \rtimes \mathbb{Z}_q$

We have determined the number of possibilities for $\mathbb{Z}_{p^r} \rtimes_\phi \mathbb{Z}_q$ as a function of $p$ and $q$. However, many of
these solutions $\phi$ lead to isomorphic semi-direct product groups as stated in the next proposition.

Proposition 5. The $q - 1$ semi-direct product groups that can be defined using the $q - 1$ solutions in the
case (i) of Proposition 4 are isomorphic. Similarly, in the case (ii), the $p - 1$ semi-direct product groups
corresponding to $\phi(1)(1) = tp^{r-1} + 1$ with $0 < t < p$ are isomorphic.

Proof. For the case (i) of Proposition 4, denote by $\phi_1$ one of the homomorphisms. The other $q - 2$
homomorphisms are actually defined by $\phi_i(1)(1) = \phi_1(1)(1)^i$ for $i \in \{2, \ldots, q - 1\}$ coprime with $q$. We define the
one-to-one map $\Psi_i$ from $\mathbb{Z}_n \rtimes_{\phi_1} \mathbb{Z}_q$ to $\mathbb{Z}_n \rtimes_{\phi_i} \mathbb{Z}_q$ by $\Psi_i(x^a y^b) := x^a y^{bi'}$, where $i'$ is the inverse of $i$ in $\mathbb{Z}_q^*$. It
can be easily checked that $\Psi_i(x^a y^b x^{a'} y^{b'}) = \Psi_i(x^a y^b) \Psi_i(x^{a'} y^{b'})$. $\Psi_i$ is thus a group isomorphism.

For the case (ii), let $\phi_t$ be the homomorphism corresponding to $\phi_t(1)(1) = tp^{r-1} + 1$. We define the one-one
map $\Psi_t$ from $\mathbb{Z}_n \rtimes_{\phi_1} \mathbb{Z}_q$ to $\mathbb{Z}_n \rtimes_{\phi_t} \mathbb{Z}_q$ by $\Psi_t(x^a y^b) := x^a y^{bt'}$ where $t'$ is the inverse of $t$ in $\mathbb{Z}_p^*$. It can be easily
checked that $\Psi_t(x^a y^b x^{a'} y^{b'}) = \Psi_t(x^a y^b) \Psi_t(x^{a'} y^{b'})$. □

This implies that there are exactly five classes of non-isomorphic groups $\mathbb{Z}_{p^r} \rtimes_\phi \mathbb{Z}_q$, as stated in the next
theorem.

Theorem 6. The groups of the form $\mathbb{Z}_{p^r} \rtimes_\phi \mathbb{Z}_q$, for $p$ and $q$ prime, and $r \ge 1$ can be classified in five
non-isomorphic classes:

Class 1. The $q$-hedral groups $\mathbb{Z}_{p^r} \rtimes \mathbb{Z}_q$ for $p$ and $q$ primes satisfying $q \mid p - 1$, and $r \ge 1$;

Class 2. The dihedral groups $D_{2^r} = \langle x, y \mid x^{2^r} = y^2 = e,\ yx = x^{2^r - 1} y \rangle$ for $r \ge 2$;

Class 3. The quasi-dihedral groups $QD_{2^r} = \langle x, y \mid x^{2^r} = y^2 = e,\ yx = x^{2^{r-1} - 1} y \rangle$ for $r > 2$;

Class 4. The groups $P_{p,r} = \langle x, y \mid x^{p^r} = y^p = e,\ yx = x^{p^{r-1} + 1} y \rangle$ for $p$ prime and $r \ge 2$, except the case
$p = r = 2$;

Class 5. The direct product groups $\mathbb{Z}_{p^r} \times \mathbb{Z}_q$ for $p$ and $q$ prime, and $r \ge 1$.

Moreover, the five above classes are disjoint.

Proof. Direct consequence of Proposition 4 and Proposition 5. Class 1 corresponds to the case (i) in
Proposition 4. Class 4 corresponds to the case (ii) and to the solution $\phi(1)(1) = 2^{r-1} + 1$ of the case (iii). Class 2
corresponds to $\phi(1)(1) = 2^r - 1$ and class 3 to $\phi(1)(1) = 2^{r-1} - 1$ in the case (iii). Class 5 corresponds to
the trivial solution $\phi(1)(1) = 1$. □
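
Proposition 4 and the class assignment in the proof of Theorem 6 can be checked by brute force for small parameters. The following Python sketch is an added example, not code from the paper; the function names are hypothetical, and it lists the non-trivial solutions of a^q = 1 in the unit group modulo p^r, compares them with the closed forms of cases (i) to (iii), and maps each solution to its class.

```python
def elements_of_order(q, p, r):
    """Non-trivial a in Z*_{p^r} with a^q = 1 (mod p^r); q is prime, so the order is exactly q."""
    n = p ** r
    return [a for a in range(2, n) if pow(a, q, n) == 1]


def proposition4(q, p, r):
    """Prediction of Proposition 4: explicit solutions in cases (ii) and (iii),
    only the count q - 1 in case (i)."""
    if (p - 1) % q == 0:                                   # case (i): q | p - 1
        return {"case": "i", "count": q - 1}
    if q == p != 2 and r > 1:                              # case (ii): a = t p^(r-1) + 1
        sols = [t * p ** (r - 1) + 1 for t in range(1, p)]
        return {"case": "ii", "count": p - 1, "solutions": sols}
    if q == p == 2 and r > 1:                              # case (iii)
        sols = [3] if r == 2 else [2 ** (r - 1) - 1, 2 ** (r - 1) + 1, 2 ** r - 1]
        return {"case": "iii", "count": len(sols), "solutions": sols}
    return {"case": None, "count": 0, "solutions": []}     # no non-trivial element of order q


def theorem6_class(q, p, r, a):
    """Class (1 to 5) of the semi-direct product defined by phi(1)(1) = a,
    following the proof of Theorem 6."""
    n = p ** r
    if a % n == 1:
        return 5                                           # trivial solution: direct product
    if pow(a, q, n) != 1:
        raise ValueError("a^q != 1 mod p^r, so a does not define a homomorphism")
    if (p - 1) % q == 0:
        return 1                                           # q-hedral groups
    if p == 2:
        if a == 2 ** r - 1:
            return 2                                       # dihedral (covers p = r = 2, a = 3)
        return 3 if a == 2 ** (r - 1) - 1 else 4           # quasi-dihedral, else a = 2^(r-1) + 1
    return 4                                               # q = p odd


def check(q, p, r):
    """True when the brute-force list agrees with Proposition 4 for this (q, p, r)."""
    found, pred = elements_of_order(q, p, r), proposition4(q, p, r)
    return len(found) == pred["count"] and found == pred.get("solutions", found)


if __name__ == "__main__":
    primes = (2, 3, 5, 7)
    print(all(check(q, p, r) for q in primes for p in primes for r in (1, 2, 3)))
    print({a: theorem6_class(2, 2, 4, a) for a in elements_of_order(2, 2, 4)})
```
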

3.3 HSP over semi-direct product groups 

As mentioned above, the number of possibilities for the group $\mathbb{Z}_n \rtimes \mathbb{Z}_q$, for $q$ prime, can be obtained directly
using the decomposition of $\mathbb{Z}_n$ of Equation (1). Notice that the decomposition itself can be found in quantum
polynomial time [6]. However, a subgroup of $G_1 \times \cdots \times G_m$ is not necessarily of the form $H_1 \times \cdots \times H_m$,
with $H_i$ subgroup of $G_i$ and, thus, solving the HSP over groups of classes 1 to 5 is not sufficient to solve the
HSP over any semi-direct product group $\mathbb{Z}_n \rtimes \mathbb{Z}_q$. But, groups of classes 1 to 5 being basic blocks in the
construction of semi-direct product groups, we believe it is fundamental to study the complexity of solving 
the HSP over groups of each class. 

The semi-direct product groups first studied by Moore, Rockmore, Russell and Schulman [16] correspond
to class 1 with $r = 1$. These groups are groups of affine functions, where the semi-direct product of two
elements corresponds to the composition of the associated functions. In [16] a polynomial-time quantum
algorithm using the so-called strong Fourier sampling method was proposed that gives an information-theoretic
characterization of any hidden subgroup of this class of groups. Moreover, when $q$ is sufficiently large, in the
sense that $p/q = \mathrm{poly}(\log p)$, their algorithm returns in polynomial time a set of generators of the hidden
subgroup and thus completely solves the problem.

Bacon, Childs and van Dam [5] then removed the restriction on $r$ and obtained a polynomial time quantum
algorithm for the HSP over the groups $\mathbb{Z}_{p^r} \rtimes \mathbb{Z}_q$ (of classes 1 to 5) when $p^r/q = \mathrm{poly}(\log(p^r))$.

The HSP over dihedral groups and quasi-dihedral groups (classes 2 and 3) is one of the most important
open problems of HSP research. In the next section of this paper, we study the semi-direct product groups of
class 4 and present a polynomial-time quantum algorithm solving the HSP over them. 

4 Quantum Algorithm solving the HSP over $P_{p,r}$

In this section, we present our quantum algorithm solving, in polynomial time, the HSP over all the groups
of class 4. We recall that, as in Theorem 6, by $P_{p,r}$ we mean the group $\langle x, y \mid x^{p^r} = y^p = e,\ yx = x^{p^{r-1} + 1} y \rangle$
for $p$ prime and $r \ge 2$, and that the case $p = r = 2$ is excluded.

4.1 Structure of $P_{p,r}$

First, using the relation $y^b x^a = x^{a(bp^{r-1} + 1)} y^b$, it can be easily checked that

$(x^a y^b)^c = x^{ac + \frac{c(c-1)}{2} a b p^{r-1}} y^{bc}$ (2)

for any integers $a$, $b$ and $c$. We are now ready to enumerate the different subgroups of $P_{p,r}$.

Proposition 7. The subgroups of $P_{p,r}$ are the following:

• $\langle x^{p^i} \rangle$ for $0 \le i \le r$,

• $\langle x^{p^i}, y \rangle$ for $0 \le i \le r$,

• $\langle x^{tp^j} y \rangle$ with $0 \le j < r$ and $1 \le t < p$.

Proof. For any subgroup $H$ of $P_{p,r}$, $H \cap \langle x \rangle$ is of the form $\langle x^{p^i} \rangle$. We consider the different possibilities when
$H \neq \langle x^{p^i} \rangle$. If $y \in H$ then, necessarily, $H = \langle x^{p^i}, y \rangle$. Suppose otherwise that $y \notin H$. Then there exists
$k \in \{1, \ldots, p^r - 1\}$ such that $x^k y \in H$. Then

$(x^k y)^p = x^{kp}$ if $p \neq 2$

and we see that

$\langle (x^k y)^p \rangle = \langle x^{kp} \rangle$,

because we do not consider the case $p = r = 2$. This implies that $p^i \mid kp$ and thus $x^{tp^{i-1}} y \in H$ with $1 \le t < p$.
It can be checked that the $p - 1$ subgroups $\langle x^{tp^{i-1}} y \rangle$, for $1 \le t < p$, are distinct. □

Proposition 8. All the subgroups of $P_{p,r}$ are Abelian, except the trivial subgroup $\langle x^{p^0}, y \rangle = P_{p,r}$. The only
subgroups of $P_{p,r}$ that are not normal are the $p$ subgroups $\langle x^{tp^{r-1}} y \rangle$ for $0 \le t < p$.

Proof. For the first part, notice that all the subgroups, except the trivial subgroup $P_{p,r}$, contain no element
of the form $x^k y$ with $1 < k < p$ and thus every two elements commute. We leave to the reader the proof of
the second part, tedious but straightforward. □

4.2 The algorithm 

As shown in Proposition 7, the group $P_{p,r}$ has $2(r + 1) + r(p - 1) = O(pr)$ subgroups. In the case where
$p$ is polynomial in $\log(p^{r+1})$, the HSP can be solved classically by checking all the subgroups. However, this
method does not work for general $p$.
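
The structure results of Section 4.1 and the classical search just described can be reproduced on small instances. The Python sketch below is an added example, not part of the paper; the class and function names are hypothetical and the hiding function is constructed for the test. It builds $P_{p,r}$ from Definition 3, checks Equation (2), compares a brute-force subgroup enumeration with Propositions 7 and 8, and recovers a hidden subgroup by testing the $O(pr)$ candidates against the oracle.

```python
class P:
    """P_{p,r}: the pair (a, b) stands for x^a y^b, and phi(1)(1) = p^(r-1) + 1."""
    def __init__(self, p, r):
        self.p, self.r, self.n = p, r, p ** r
        self.alpha = p ** (r - 1) + 1
        self.e = (0, 0)
        self.elems = [(a, b) for a in range(self.n) for b in range(p)]

    def mul(self, g, h):
        # Definition 3 with phi(b)(a) = a * phi(1)(1)^b
        (a1, b1), (a2, b2) = g, h
        return ((a1 + a2 * pow(self.alpha, b1, self.n)) % self.n, (b1 + b2) % self.p)

    def inv(self, g):
        a, b = g
        nb = -b % self.p
        return (-a * pow(self.alpha, nb, self.n) % self.n, nb)

    def power(self, g, c):
        out = self.e
        for _ in range(c):
            out = self.mul(out, g)
        return out

    def span(self, gens):
        """Subgroup generated by gens (closure under right multiplication)."""
        H, frontier = {self.e}, [self.e]
        while frontier:
            g = frontier.pop()
            for s in gens:
                h = self.mul(g, s)
                if h not in H:
                    H.add(h)
                    frontier.append(h)
        return frozenset(H)

    def all_subgroups(self):
        """Every subgroup, found by adjoining one element at a time (Proposition 7 not used)."""
        found, todo = {}, [()]
        while todo:
            gens = todo.pop()
            H = self.span(gens)
            if H not in found:
                found[H] = gens
                todo.extend(gens + (g,) for g in self.elems if g not in H)
        return set(found)

    def prop7_generators(self):
        """Generating tuples for the three families of Proposition 7."""
        p, r, n = self.p, self.r, self.n
        fams = [((p ** i % n, 0),) for i in range(r + 1)]
        fams += [((p ** i % n, 0), (0, 1)) for i in range(r + 1)]
        fams += [((t * p ** j % n, 1),) for j in range(r) for t in range(1, p)]
        return fams

def equation2_holds(G):
    """(x^a y^b)^c = x^(ac + c(c-1)/2 * a*b*p^(r-1)) y^(bc) for all a, b and 0 <= c <= p^r."""
    p, r, n = G.p, G.r, G.n
    return all(
        G.power((a, b), c) == ((a * c + c * (c - 1) // 2 * a * b * p ** (r - 1)) % n, b * c % p)
        for (a, b) in G.elems for c in range(n + 1))

def is_abelian(G, H):
    return all(G.mul(a, b) == G.mul(b, a) for a in H for b in H)

def is_normal(G, H):
    # conjugation by the generators x and y is enough in a finite group
    return all(G.mul(G.mul(g, h), G.inv(g)) in H for g in [(1, 0), (0, 1)] for h in H)

def hiding_function(G, H):
    """Constructed oracle: f labels each left coset gH by its smallest element."""
    return lambda g: min(G.mul(g, h) for h in H)

def classical_hsp(G, f):
    """Exhaustive search: keep the candidates whose generators f maps to f(e), return the largest."""
    fe = f(G.e)
    inside = [gens for gens in G.prop7_generators() if all(f(g) == fe for g in gens)]
    return max((G.span(gens) for gens in inside), key=len)

def check(p, r):
    G = P(p, r)
    subs = G.all_subgroups()
    listed = {G.span(gens) for gens in G.prop7_generators()}
    not_normal = {G.span([(t * p ** (r - 1), 1)]) for t in range(p)}
    return (
        equation2_holds(G)
        and subs == listed and len(subs) == 2 * (r + 1) + r * (p - 1)       # Proposition 7
        and {H for H in subs if not is_abelian(G, H)} == {frozenset(G.elems)}  # Proposition 8
        and {H for H in subs if not is_normal(G, H)} == not_normal
        and all(classical_hsp(G, hiding_function(G, H)) == H for H in subs)
    )

if __name__ == "__main__":
    print({(p, r): check(p, r) for p, r in [(3, 2), (3, 3), (5, 2), (2, 3)]})
```

Each candidate costs at most two oracle calls here, but the number of candidates grows linearly in $p$, which is why the search is only polynomial when $p$ is small.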

Our algorithm is based on the structure of $P_{p,r}$, resulting from Proposition 8. Using this structure, methods
similar to Ettinger-Høyer reduction [8], can also be used to solve the HSP over $P_{p,r}$, as described by Bacon,
Childs and van Dam [5]. However, our algorithm solves the HSP even when the group is input as a black-box
group with not necessarily unique encoding. More precisely, the problems in this setting are the following.
With black-box groups, it is difficult, and sometimes impossible, to find generators of an arbitrary subgroup
and thus Ettinger-Høyer reductions cannot be directly used. For example, the group $P_{p,r}$ can be input both
by $x$ and $y$ or by $x$ and $xy$. It is thus difficult to find generators for a specific subgroup (e.g., the subgroup $\langle y \rangle$)
for an arbitrary black-box representation (where the form of the generators is unknown). Moreover, when
the encoding of the black-box group is not unique, another difficulty appears: even the quantum Fourier
sampling approach to find the order of elements in a group cannot be directly used because it is possible
that, for example, the encodings for the elements of the second period can be different from the encodings of
elements in the first period, although the elements are the same.

We now present our main result. 

Theorem 9. Assume that $P_{p,r}$ is input as a black-box group with not necessarily unique encoding. Then
there exists a quantum algorithm finding, in polynomial time, the hidden subgroup.

Proof. Let $H$ be the subgroup hidden, through the function $f$, in $P_{p,r}$. Any element in $P_{p,r}$ of order $p^r$ is of
the form $x^i y^j$ with $p \nmid i$, $0 \le j \le p - 1$, and any generating set of $P_{p,r}$ contains at least one element of order
$p^r$ and an element that does not commute with that element. Such two elements can be found by testing all
the elements of the generating set. Let the former be $x^a y^b$ and the latter be $x^{a'} y^{b'}$. For these elements not
to commute with each other, it is necessary and sufficient that $ab' \neq a'b \bmod p$.

There are two possibilities, as implied by Proposition 8.

Case 1: $H$ is normal in $P_{p,r}$
Case 2: $H = \langle x^{tp^{r-1}} y \rangle$ for $0 \le t < p$

We now present two polynomial-time quantum algorithms dealing with each of the two cases. Of course, we
do not know which of the two cases holds but this does not matter. We run the two algorithms obtaining two
sets of potential generators for $H$ and output all those that are indeed in $H$ (this can be tested by checking
whether the value of $f$ on them is $f(e)$).

Case 1: $H$ is normal in $P_{p,r}$.

We run the algorithm for the normal HSP given by Ivanyos, Magniez and Santha [13] and output a set of
generators of $H$.

Case 2: $H = \langle x^{tp^{r-1}} y \rangle$ for $0 \le t < p$ and $b' \neq 0 \bmod p$.

In this case, $H$ is a subgroup of the Abelian group $\langle x^{p^{r-1}}, y \rangle$. The problem can be solved easily if explicit
generators are known. However, in the case of $P_{p,r}$ being a black-box group, this is not immediate. We
show how to find good generators of this subgroup that enable to use the Abelian Fourier sampling method.
Denote $X = x^a y^b$ and $Y = x^{a'} y^{b'}$. We first find an integer $l$ such that $(X^l)^p = Y^p$. Expanding this using
Equation (2) gives

$al = a' \bmod p^{r-1}$ if $p \neq 2$

$al(b 2^{r-2} + 1) = a'(b' 2^{r-2} + 1) \bmod 2^{r-1}$ if $p = 2$

and guarantees the existence and unicity modulo $p^{r-1}$ of such an $l$. Now, defining $G' = \mathbb{Z}_{p^{r-1}} \times \mathbb{Z}_{p^{r-1}}$,
$H' = \langle (l, -1) \rangle$ and $f'(u, w) = f((X^p)^u (Y^p)^w)$, we see that $f'$ is $H'$-periodic over $G'$. Running the Abelian
HSP algorithm enables to find $H'$ and thus $l$ in polynomial time.

Now, let us first consider the case $p \neq 2$. By using $l$ we can obtain an element $Y'$ of the form $x^{\alpha p^{r-1}} y^{\beta}$
where $\beta \neq 0 \bmod p$:

$Y' = X^{-l} Y = x^{\alpha p^{r-1}} y^{b' - bl}$

where

$\alpha p^{r-1} = a \frac{l(l+1)}{2} b p^{r-1} - al + a' - a' b l p^{r-1}$.

Notice that $b' - bl$ cannot be a multiple of $p$ because, since $a' = al \bmod p$, this would contradict the hypothesis
$ab' \neq a'b \bmod p$. Thus,

$\langle X^{p^{r-1}}, Y' \rangle = \langle x^{p^{r-1}}, y \rangle \cong \mathbb{Z}_p \times \mathbb{Z}_p$

is an Abelian group (see Proposition 5) and $\langle x^{tp^{r-1}} y \rangle$ is a subgroup of it. We thus use Abelian Fourier
sampling over $\langle X^{p^{r-1}}, Y' \rangle$ and output a set of generators for $H$.

If $p = 2$, then, by a similar argument, $Y' = X^{-l} Y$ is of the form $x^{\alpha p^{r-2}} y^{\beta}$ where $\beta \neq 0 \bmod p$. Then

$\langle X^{p^{r-2}}, Y' \rangle = \langle x^{p^{r-2}}, y \rangle \cong \mathbb{Z}_{p^2} \times \mathbb{Z}_p$

is an Abelian group (here, we use our convention that the case $p = r = 2$ is excluded) and $\langle x^{tp^{r-1}} y \rangle$ is a
subgroup of it. We thus use Abelian Fourier sampling over $\langle X^{p^{r-2}}, Y' \rangle$ and output a set of generators of
$H$. □

5 Algorithm Solving the HSP over $\mathbb{Z}_{p^r}^m \rtimes \mathbb{Z}_p$

We finally present a quantum algorithm solving the HSP over the groups of the form $\mathbb{Z}_{p^r}^m \rtimes \mathbb{Z}_p$,
for $p$ prime, where $\mathbb{Z}_p$ acts separately on each coordinate of $\mathbb{Z}_{p^r}^m$ as in $P_{p,r}$. Formally, $\mathbb{Z}_{p^r}^m \rtimes \mathbb{Z}_p$ is the group
generated by $m + 1$ elements $x_1, \ldots, x_m$ and $y$, where $\langle x_1, \ldots, x_m \rangle = \mathbb{Z}_{p^r}^m$ and $y x_i = x_i^{p^{r-1} + 1} y$ for each
$i \in \{1, \ldots, m\}$.

We will now show that, although $\mathbb{Z}_{p^r}^m \rtimes \mathbb{Z}_p$ is not an Abelian group, applying the Abelian Fourier transform
to it (i.e., the Fourier transform over the group $\mathbb{Z}_{p^r}^m \times \mathbb{Z}_p$) is sufficient to get enough information to find
the hidden subgroup.

We first state a general useful proposition. 

Proposition 10. Let $G$ be a black-box group, $H$ a hidden subgroup of $G$ and $f$ an $H$-periodic function. If
there exists a group $G'$ over which a quantum polynomial-time solution for the HSP is known and a bijection
$\pi : G \to G'$ verifying the following conditions

(i) $\pi(H)$ is a subgroup of $G'$;

(ii) $f \circ \pi^{-1}$ is $\pi(H)$-periodic;

(iii) there is a polynomial-size quantum circuit that, for any $g' \in G'$, maps $|g'\rangle$ to $|w_{g'}\rangle$, where $w_{g'}$ is a
string representing $\pi^{-1}(g')$ (in the black-box representation of $G$);

then $H$ can be found by a quantum computer in polynomial time.

Proof. The algorithm for the HSP over $G'$ is used with, as input, the $\pi(H)$-periodic function $f \circ \pi^{-1}$. This
gives, in polynomial time, a set of generators for $H'$. This set is used to create random elements of $H'$ using
standard methods [2, 3], which are then mapped using $\pi^{-1}$ to obtain almost uniformly random elements of
$H$. A polynomial number of such elements is, with high probability, a generating set for $H$. □

The above proposition is stated in the most general context of $G$ being a black-box group but, in this
case, the condition (iii) is problematic. Indeed, even if such a bijection $\pi^{-1}$ exists, it seems very difficult to
implement it when the explicit form of the generators for $G$ is unknown. For $\mathbb{Z}_{p^r}^m \rtimes \mathbb{Z}_p$, we do not know how
to do this in the black-box framework and we need to have some knowledge of the form of the generators. We
will solve the HSP over these groups when the input is given as a set of generators for $\mathbb{Z}_{p^r}^m$ and one generator
for $\mathbb{Z}_p$. This means that we can isolate the left part and the right part of the semi-direct product. More
precisely, our result is as follows.

Theorem 11. Consider $\mathbb{Z}_{p^r}^m \rtimes \mathbb{Z}_p$ being input as a black-box group with unique encoding under the form of
a set of generators of $\mathbb{Z}_{p^r}^m \times \{0\}$ and a generator of $\{0\} \times \mathbb{Z}_p$. Then there is a polynomial-time quantum
algorithm finding the hidden subgroup $H$.

Proof. Denote $A = \mathbb{Z}_{p^r}^m \times \{0\}$, $y$ the generator of $\mathbb{Z}_p$ and $G' = \mathbb{Z}_{p^r}^m \times \mathbb{Z}_p = \langle z_1, \ldots, z_m, z_{m+1} \rangle$. From the set
of generators of $A$, we compute a minimal set of generators $\langle g_1, \ldots, g_m \rangle$ of $A$, i.e., $m$ generators that generate
$A$. Notice that this is possible, using the algorithm for Abelian membership testing by Ivanyos, Magniez and
Santha [13], because the encoding is unique. Let $\pi$ be the following one-one map between $\mathbb{Z}_{p^r}^m \rtimes \mathbb{Z}_p$ and $G'$.

This map satisfies condition (iii) of Proposition 10 because $g_1, \ldots, g_m, y$ are known.

We now prove that (i) holds too. First, notice that, for any subgroup $H$ of $\mathbb{Z}_{p^r}^m \rtimes \mathbb{Z}_p$, there are two
possibilities: $H$ is a subgroup of $A$ or $H = \langle H \cap A, gy \rangle$ for some $g \in A$. Indeed, suppose that $H$ cannot be
written under the form $H = \langle H \cap A, gy \rangle$. This implies that $H = \langle H \cap A, g_1 y, \ldots, g_k y \rangle$ for $g_1, \ldots, g_k \in A$,
with $k > 1$. Then, the elements $(g_1 y)^{-1} g_i y = y^{-1} g_1^{-1} g_i y$ are in $H$ too. Thus $g_i g_1^{-1} \in H \cap A$ for all $i \in \{2, \ldots, k\}$,
and $\langle H \cap A, g_1 y, \ldots, g_k y \rangle = \langle H \cap A, g_1 y \rangle$, which leads to a contradiction.

If $H$ is a subgroup of $A$, then (i) holds trivially. Consider the case $H = \langle H \cap A, gy \rangle$. From Equation (2),
for any integer $c$,

$(gy)^c = g^{c + \frac{c(c-1)}{2} p^{r-1}} y^c.$

From the fact $g^p \in \langle (gy)^p \rangle \le H \cap A$, we obtain that $g^{\frac{c(c-1)}{2} p^{r-1}} \in H \cap A$. Thus $H$ is the subgroup constituted
by all the elements of the form $g' g^c y^c$ where $g' \in H \cap A$ and $c \in \{0, \ldots, p - 1\}$, and

$\pi(H) = \langle \pi(H \cap A), \pi(gy) \rangle$,

which is a subgroup of $G'$. This proves condition (i).

A similar argument proves that any coset of $H$ in $\mathbb{Z}_{p^r}^m \rtimes \mathbb{Z}_p$ is mapped into a coset of $\pi(H)$ in $G'$, and more
precisely any two identical cosets are mapped into identical cosets. Thus, $f \circ \pi^{-1}$ is $\pi(H)$-periodic and (ii)
holds as well.

The HSP over the Abelian group $G'$ can be solved in polynomial time by a quantum computer. Using
Proposition 10, we obtain a polynomial-time quantum algorithm solving the hidden subgroup problem over
$\mathbb{Z}_{p^r}^m \rtimes \mathbb{Z}_p$. □